Posts From Randy Westergren

Randy Westergren
Randy Westergren

Randy is currently a Senior Software Developer/Security Analyst at XDA, where he's involved in most aspects of maintaining current software and developing new concepts. Before entering the development world, he was a Systems Engineer for a SMB, which helped build system skills that he still uses today.

Reverse Engineering the Subway Android App

Reverse Engineering the Subway Android App

July 10, 2015
It's great to see the increasing adoption of certificate pinning in Android apps. When I run into an app that throws connection errors while attempting to proxy requests, I tend to become more interested in diving deeper. Such was the case when I recently used the Subway app. Reversing the APK revealed cert pinning  among some other interesting findings.Starting the app while...
Multiple Vulnerabilities in Verizon’s FiOS Mobile API Exposing Customer Information

Multiple Vulnerabilities in Verizon’s FiOS Mobile API Exposing Customer Information

May 13, 2015
After recently finding a critical vulnerability in Verizon's My FiOS app, I thought it would be worth looking into their other apps available to customers. The FiOS Mobile app allows users to watch subscribed TV channel offerings on their mobile devices, as well as control their DVR, view On Demand histories, etc. Shortly after loading the app...
Privacy Vulnerability in TurboTax’s API

Privacy Vulnerability in TurboTax’s API

April 15, 2015
In the spirit of tax day, I wanted to write about my experience in reporting a privacy vulnerability in the most popular tax preparation software on the market: Intuit's TurboTax. I have been using TurboTax for quite a few years for my taxes and this year I found they offered an Android app. At first, I wondered...
Wawa Rewards Gift Card Takeover Vulnerability

Wawa Rewards Gift Card Takeover Vulnerability

April 9, 2015
Wawa stores are a favorite among customers in Pennsylvania, New Jersey, Delaware, and beyond. When the company recently announced a new Android app to launch with their rewards program, I was interested in installing it and researching how it worked. Soon after registering and associating a gift card to my account, I discovered a serious vulnerability that would allow an...
How I Cracked Trivia Crack

How I Cracked Trivia Crack

March 24, 2015
Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It's the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I've never been very interested in gaming, my wife has recently become a huge fan...
Visa and Other Gift Card Transactions Exposed by GoWallet Vulnerability

Visa and Other Gift Card Transactions Exposed by GoWallet Vulnerability

March 7, 2015
I recently received a Visa Gift Card and decided to use GoWallet to manage it, as advertised on the card's packaging. GoWallet offers the ability to manage most types of gift cards, allowing a user to view their card's current balance and past transactions.I signed up on their website and associated the card to my account. Next,...
Delmarva Power (Pepco) Account Takeover Vulnerability

Delmarva Power (Pepco) Account Takeover Vulnerability

February 8, 2015
I've been a long time customer of Delmarva Power, but only recently learned they had an Android App. I decided to install it and see how it worked behind the scenes. I quickly realized their API suffered from multiple IDORs, allowing an attacker to a completely takeover any user's account.As usual, I monitored the requests in the App by performing a...
Marriott Hotel Reservations and Payment Information Compromised by Web Service Vulnerability

Marriott Hotel Reservations and Payment Information Compromised by Web Service Vulnerability

January 25, 2015
Marriott has been been in the news lately regarding its stance on blocking customer WiFi communications in their conference centers. As a customer of Marriott, I questioned how well they "blocked" access to my sensitive information in their system. Being that the security of web services is notoriously neglected, I figured their Marriott International Android app would be...
Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts

Critical Vulnerability in Verizon Mobile API Compromising User Email Accounts

January 18, 2015
As a Verizon FiOS customer, I had never used the My FiOS app for Android to manage my account. Since Verizon has a good amount of my information, I thought it would be a good candidate for research. I was right and the results were astonishing. I identified a vulnerability in one of the My FiOS web...
Privacy Vulnerability in Vivino Wine App

Privacy Vulnerability in Vivino Wine App

January 16, 2015
Vivino is one of the top wine apps out there, featuring the ability to get tons of information about a specific wine by taking a photo of the label. In my experience, it works well and can be very useful for the wine enthusiast. After some use of the app, I became interested in how it worked and...
Men’s Wearhouse Perfect Fit App Vulnerability Exposing Customer Information

Men’s Wearhouse Perfect Fit App Vulnerability Exposing Customer Information

October 27, 2014
Men's Wearhouse offers an Android app called Perfect Fit which allows customers to manage their accounts, track their rewards points, receive coupons, etc. As a customer myself, I already had an account with them and decided to review the requests the app was making while logging in and  accessing my information. In doing so, I immediately...
Multiple Vulnerabilities in CBS Sports’ Bracket Manager

Multiple Vulnerabilities in CBS Sports’ Bracket Manager

September 27, 2014
Every year during March Madness, XDA's landlord runs a bracket challenge, in which all tenants are free to join and submit their picks. They offer prizes to the top bracket submissions, using CBS Sports’ March Madness bracket service to manage the submissions and calculate the winners. I don’t know much about basketball, but I was...